INTEGRATION OF AUTHENTICATION, AUTHORIZATION AND ACCOUNTING SERVICE AND PROXY SERVICE

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the field of data communications networks. More particularly, this invention relates to a method and apparatus for unifying the operation of authentication, authorization and accounting services and proxy services in a data communications network.

2. The Background

ISPs (Internet Service Providers) and Telcos (telephone companies) typically offer wholesale internet access and retail internet access to their subscribers. Wholesale access is typically offered to subsidiary and specialized service providers, CLECs (Competitive Local Exchange Carriers), corporations, and Community of Interest (COI) providers. Naturally, the processing afforded customers of the wholesale variety differs from the processing afforded customers of the retail variety. Subscriber information for individual wholesale users is usually stored by those who lease data communications network access from the ISP or Telco. Hence, corporations, CLECs and COI providers do not normally share their user information with the wholesale providers. The ISP or Telco, however, typically also has its own retail subscribers whose user information is stored in its databases. Hence, the ISP or Telco must identify an incoming user as a wholesale user or a retail user and initiate different actions for an incoming user based upon this status. See, for example, FIG. 1, where a pure retail environment has a number of network access servers (NAS1, NAS2 and NAS3) which provide data communications portals to the ISP's point of presence (PoP) on the data communications network. Each NAS is in communication with a conventional AAA (authentication, authorization and accounting) service maintained by the ISP. Incoming users connect to the NASes by dialing in over the telephone network or in another conventional manner.

Traditional wholesale ISPs and Roaming Service Providers offer network access through a technique called "authentication proxying." Proxying involves the transfer of the authentication responsibility to the "owner" of the subscriber. Thus, if a corporation outsources its corporate intranet to an ISP, what it gives up is the maintenance of its dial-up servers (i.e., the NASes). It does not, however, normally want to give up control of, or the information about, its employees. Hence, when a corporate user dials in to such an ISP's network access servers, the user perceives that he or she is dialing into a corporate facility, when the user is actually dialing into the ISP's domain and then gaining admittance to the corporation's intranet.

What really happens in that scenario is that the ISP determines that the user belongs to Corporation A (CorpA) by parsing the fully qualified domain name (FQDN) supplied by the user, a DNIS ID, or some other identifier. Having determined that the user trying to gain access belongs to CorpA, the ISP cannot itself authenticate the user: as noted earlier, the user's record is still held by the corporation. Hence, the ISP "proxies" the authentication transaction out to the corporation. An AAA service within the corporation then identifies the user, verifies the password, and provisions the user. The AAA service then notifies the ISP's proxy server that the user is acceptable and passes along provisioning details associated with the user (such as an IP address to use, or the identification of an IP address pool from which an IP address is to be allocated). The ISP then grants the user access to the network based upon the reply it gets back from the corporation. This technique is called "proxying" and is shown in FIG. 2.

To be able to do this, the ISP maintains minimal information on the proxy server 14 at its PoP. Information such as the supported domain names, the IP address to which the transaction is to be sent, the port number to which the transaction is to be addressed, etc. is stored (see FIG. 3). For example, turning now to FIG. 2, user joe@corpa.com dials in 40 to NAS1. A PPP (point to point protocol) session is raised between Joe and NAS1. An IPCP (internet protocol control protocol) session 42 is raised between NAS1 and proxy service 44. In response, NAS1 sends a RADIUS (Remote Authentication Dial-In User Service protocol) access-request to proxy service 44. Proxy service 44 consults its local configuration database 16 and determines where to send the access-request packet. Here it decides to send it to the AAA 48 maintained in the CorpA domain 50. The CorpA AAA 48 then consults its local database 52 and authenticates joe@corpa.com. CorpA AAA 48 then returns an access-accept packet to proxy service 44 which, in turn, sends an access-accept packet to NAS1, completing the log-in of joe@corpa.com.

When the subscriber is granted access, or leaves the network, the accounting transactions now have to be shared with the wholesale customers of the ISP/Telco. That is, the ISP/Telco will keep a record with which to bill or otherwise account to CorpA for services rendered, and the record will also need to be sent to CorpA's AAA. Typically, the wholesale provider (e.g., the ISP) will use a roaming service product such as the Global Roaming Server™ (GRS), a product of Cisco Systems, Inc. of San Jose, Calif., to achieve this objective. In the retail case, the ISP/Telco will use a product like Cisco Secure™, a product of Cisco Systems, Inc., to act as an authentication, authorization and accounting (AAA) service to authenticate and authorize the user. This approach, however, poses some problems for the ISP/Telco.

The ISP/Telco needs to maintain two different sets of NASes, as diagrammed in FIG. 4, or it has to pipe all transactions through a GRS (proxy service), as diagrammed in FIG. 5, which then has to decide whether the access-request transaction will be locally processed by the ISP/Telco (retail user) or remotely processed by the wholesale customer (wholesale user). The two products are independent products which maintain their own databases. They do not at present support a distributed architecture and hence will not scale with the number of PoPs, users, etc. This poses the problem that multiple instantiations of the GRS need to be configured and will not be able to properly load balance among the various NASes available at the PoP. Furthermore, should a GRS go down, the PoP may lose the services of the NASes in communication with the GRS that failed.

Accordingly, it would be desirable to provide a capability for allowing ISPs and Telcos to seamlessly offer wholesale and retail data communications network access, unify the disparate systems that specialize in these access control segments, and scale both systems to simultaneously reside on a plurality of PoPs while behaving in a distributed manner within the data communications network.

SUMMARY OF THE INVENTION

A single database maintained centrally hosts both proxy service data and authentication, authorization and accounting (AAA) data. Data is then copied to storage used locally by each system when both systems are instantiated. Therefore the ISP/Telco need not maintain two different databases. A protocol gateway (PGW) is used to determine whether the incoming user is a wholesale or retail user. The PGW filters the domain portion of the access request to locate a remote AAA service. If one such service is found, the PGW routes the communication via the GRS, which proxies it to the remote AAA service. The returned packet from the remote AAA service is then searched for an IP address to be assigned to the incoming user. If one is not found, the PGW obtains a dynamically allocated IP address from a DHCP server (using an IP-Pool-ID if one is supplied in the returned packet from the remote AAA service). The same mechanism is used to forward accounting event packets from the NAS to the remote AAA service. The PGW may monitor more than one proxy service and/or AAA service and load balance among them.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a system block diagram of a simple ISP PoP using a conventional retail-only paradigm.

FIG. 2 is a system block diagram of a wholesale ISP PoP using a conventional wholesale-only paradigm.

FIG. 3 is a diagram illustrating the information maintained by a conventional proxy server.

FIG. 4 is a system block diagram of an ISP PoP having non-integrated retail and wholesale components.

FIG. 5 is a system block diagram of an ISP PoP using a Global Roaming Server (GRS) proxy service to integrate wholesale and retail functions.

FIG. 6 is a system block diagram of an ISP PoP using a protocol gateway (PGW) in accordance with a presently preferred embodiment of the present invention to integrate wholesale and retail functions and perform load balancing.

FIG. 7 is a system block diagram of an ISP NOC, broker publisher system and PoP in accordance with another preferred embodiment of the present invention.

FIG. 8 is a system block diagram of a broker publisher system used in accordance with a preferred embodiment of the present invention.

FIG. 9 is a flow diagram detailing a process by which the AAA service and its associated database are instantiated in accordance with a presently preferred embodiment of the present invention.

FIG. 10 is a flow diagram detailing a process by which a proxy service and its associated database are instantiated in accordance with a presently preferred embodiment of the present invention.

FIG. 11 is a flow diagram detailing a user authentication and authorization process in accordance with a presently preferred embodiment of the present invention.

FIG. 12 is a flow diagram detailing a load balancing process in accordance with a presently preferred embodiment of the present invention.

FIG. 13 is a flow diagram detailing an accounting process in accordance with a presently preferred embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Those of ordinary skill in the art will realize that the following description of the present invention is illustrative only and not in any way limiting. Other embodiments of the invention will readily suggest themselves to such skilled persons after a perusal of the within disclosure.

In accordance with a presently preferred embodiment of the present invention, the components, processes and/or data structures are implemented using a gateway device and other services implemented as C++ programs running on an Enterprise 2000™ server from Sun Microsystems, Inc. of Mountain View, Calif. Different implementations may be used and may include other types of operating systems, computing platforms, computer programs, firmware and/or general purpose machines. In addition, those of ordinary skill in the art will readily recognize that devices of a less general purpose nature, such as hardwired devices, devices relying on FPGA (field programmable gate array) or ASIC (Application Specific Integrated Circuit) technology, or the like, may also be used without departing from the scope and spirit of the inventive concepts disclosed herein.

The protocol gateway (PGW or gateway) is a device which couples the user, via a network access server (NAS), to the data communications network. The term gateway is not meant to be limited to a single type of device. Any device, hardware or software, that may act as a bridge between the user and the network may be considered a gateway for the purposes of this application. In accordance with a presently preferred embodiment of the present invention, the PGW is available from Cisco Systems, Inc. of San Jose, Calif. An authentication, authorization and accounting (AAA) service performs the authentication, authorization and accounting functions. It may be a Cisco ACS™ product such as Cisco Secure™, available from Cisco Systems, Inc. of San Jose, Calif., or an equivalent product. In accordance with a presently preferred embodiment of the present invention, the Remote Authentication Dial-In User Service (RADIUS) protocol is used as the communication protocol between the gateway and the AAA and GRS proxy services. RADIUS is an Internet standards-track protocol for carrying authentication, authorization, accounting and configuration information between devices that desire to authenticate their links and a shared AAA or GRS service. Those of ordinary skill in the art will realize that other Internet protocols such as TACACS+ can be used as acceptable authentication communications links between the various communications devices that make up the data communications network and still be within the inventive concepts disclosed herein. A global roaming server (GRS) is a service capable of proxying transactions to remote AAA services, preferably using the RADIUS protocol or an equivalent.

One way in which the present invention may come into play involves the concept of roaming users. A roaming user is, for example, a traveling person with a laptop. If the person wants to reach a corporate intranet or local ISP, he or she can (1) dial the number of the home PoP (point of presence) and incur potentially large telephone bills; (2) dial a "toll free" number such as an 800 number, which can also be expensive, in this case to the provider; or (3) use a global roaming server model. In the global roaming server model, ISPs with PoPs in different locations make cross-agreements with one another so as to provide local telephone access numbers to ISPs without any other (or a sufficient) presence in a location. To the user, it appears that his ISP has PoPs everywhere that there is a roaming agreement in place with a cooperating ISP.
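The proxying exchange of FIG. 2 described in the Background and the PGW behaviour set out in the Summary (filter the realm of the incoming User-Name, send wholesale realms out through the GRS to the remote AAA, then take the user's address from the returned packet or fall back to a pool allocation) can be made concrete in a short Python sketch. What follows is an added example written for this page; it is not code from the patent, from Cisco's PGW or GRS products, or from the original document. The realm table, the local realm, the shared secret, the pool ranges and the CorpA AAA stand-in are constructed; RFC 2869's Framed-Pool attribute stands in for the page's "IP-Pool-ID" and a Python dict stands in for the DHCP server. Two things are additions a practitioner would want rather than features the page describes: the reply from the remote AAA is accepted only after its RFC 2865 Response Authenticator has been recomputed with the shared secret, and a realm with no configured remote AAA is rejected instead of being handed to the local AAA.

```python
"""PGW handling of one RADIUS Access-Request: realm routing, verification of the
remote AAA's reply, and address selection. Added example, not patent or Cisco code."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_FRAMED_IP_ADDRESS = 8   # RFC 2865
ATTR_FRAMED_POOL = 88        # RFC 2869; stands in for the page's "IP-Pool-ID"
NO_FIXED_ADDRESS = (b"\xff\xff\xff\xff", b"\xff\xff\xff\xfe")  # RFC 2865: no fixed address
# Constructed proxy configuration in the style of FIG. 3: realm -> remote AAA
# (host, UDP port, shared secret), plus the realms the ISP's own AAA serves.
PROXY_TABLE = {"corpa.com": ("192.0.2.10", 1812, b"corpa-shared-secret")}
LOCAL_REALMS = {"ispa.net"}
# Stand-in for the DHCP server: pool id -> constructed address ranges.
POOLS = {b"corpa-pool": list(ipaddress.ip_network("10.20.0.0/30").hosts()),
         b"default": list(ipaddress.ip_network("10.99.0.0/30").hosts())}
_leased = set()

def parse_user_name(user_name):
    """Split 'user@realm' into (user, lower-cased realm); no '@' means a retail user.
    More than one '@' is rejected rather than guessed at: routing hangs on the realm."""
    if user_name.count("@") > 1:
        raise ValueError("ambiguous User-Name %r" % user_name)
    user, sep, realm = user_name.partition("@")
    if not user or (sep and not realm):
        raise ValueError("malformed User-Name %r" % user_name)
    return user, (realm.lower() if sep else None)

def route(user_name):
    """('local', None) for retail users, ('proxy', aaa) for a realm with a configured
    remote AAA, ('reject', None) for an unknown realm. The page would send unknown
    realms to the local AAA; rejecting them keeps them off the retail database."""
    _, realm = parse_user_name(user_name)
    if realm is None or realm in LOCAL_REALMS:
        return "local", None
    if realm in PROXY_TABLE:
        return "proxy", PROXY_TABLE[realm]
    return "reject", None

def build_packet(code, ident, authenticator, attrs):
    """Serialize a RADIUS packet; attrs is a list of (type, value-bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def build_response(code, ident, request_auth, attrs, secret):
    """Remote-AAA side: Response Authenticator (RFC 2865 section 3) is
    MD5(code | id | length | Request Authenticator | attributes | secret)."""
    p = build_packet(code, ident, request_auth, attrs)
    return p[:4] + hashlib.md5(p[:4] + request_auth + p[20:] + secret).digest() + p[20:]

def verify_and_parse(reply, request_auth, secret):
    """PGW side: recompute the Response Authenticator and refuse the reply on a
    mismatch BEFORE reading any attribute, so a forged or altered Access-Accept
    can neither grant access nor pick the user's address. Returns (code, attrs)."""
    if len(reply) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        raise ValueError("bad RADIUS length")
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: not from the configured AAA")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or reply[pos + 1] < 2 or pos + reply[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[reply[pos]] = reply[pos + 2:pos + reply[pos + 1]]
        pos += reply[pos + 1]
    return code, attrs

def assign_address(attrs):
    """Framed-IP-Address if it names a real host; otherwise allocate from the pool
    named by Framed-Pool, falling back to the default pool."""
    fixed = attrs.get(ATTR_FRAMED_IP_ADDRESS)
    if fixed is not None and fixed not in NO_FIXED_ADDRESS:
        return str(ipaddress.IPv4Address(fixed))  # raises on anything but 4 bytes
    pool_id = attrs.get(ATTR_FRAMED_POOL, b"default")
    for addr in POOLS.get(pool_id, ()):
        if addr not in _leased:
            _leased.add(addr)
            return str(addr)
    raise RuntimeError("pool %r exhausted" % pool_id)

def handle_access_request(user_name, request_auth, proxy):
    """One request through the PGW. proxy(user, req_auth, secret) -> raw reply stands
    in for the GRS hop to the remote AAA. Returns (decision, address or None)."""
    decision, target = route(user_name)
    if decision != "proxy":
        return decision, None
    _host, _port, secret = target
    code, attrs = verify_and_parse(proxy(user_name, request_auth, secret), request_auth, secret)
    if code != ACCESS_ACCEPT:
        return "reject", None
    return "accept", assign_address(attrs)

def corpa_aaa(user_name, request_auth, secret):
    """Constructed stand-in for CorpA's AAA 48 of FIG. 2: knows joe, returns a pool id."""
    code = ACCESS_ACCEPT if user_name == "joe@corpa.com" else ACCESS_REJECT
    attrs = [(ATTR_FRAMED_POOL, b"corpa-pool")] if code == ACCESS_ACCEPT else []
    return build_response(code, 7, request_auth, attrs, secret)
```

In the PGW the Request Authenticator passed to handle_access_request is 16 fresh random bytes per request (the test below uses a fixed value only so its assertions are reproducible), and the proxy callable is the GRS hop that forwards the request to the remote AAA and returns whatever comes back. Recomputing the Response Authenticator is the minimum check that stops a host other than the configured AAA from injecting an Access-Accept toward the NAS; RADIUS's MD5-based integrity is weak by today's standards, so a deployment would also require the RFC 2869 Message-Authenticator attribute on replies and carry the PoP-to-remote-AAA leg over RADIUS/TLS (RFC 6614).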
A global roaming service ("GRS") at a PoP can parse the fully qualified domain name ("FQDN") of the user (e.g., joe@ISPA.NET) and determine that Joe belongs to ISPA.NET. The GRS can then send an authentication request to ISPA.NET's AAA server to authenticate and authorize Joe in a conventional manner. Accounting event information, e.g., accounting start packets associated with log-in and accounting stop packets associated with log-out, is sent both to the GRS at the local PoP and to ISPA.NET's AAA server, to enable the local PoP to account for use by Joe at the local PoP and so bill ISPA.NET, if desired, and to allow ISPA.NET to bill Joe, if desired. It also provides a mechanism for tracking this type of usage which can serve a number of purposes.

GRSes have their own associated databases which keep lists of remote AAAs, their IP addresses, their port numbers and their associated domain names.

To render the roaming model more tenable to the myriad ISPs and Telcos which might see fit to enter into these cross-agreements, and thus make roaming easier for the end users, the process must be improved. Under the prior model, as shown in FIG. 6, each GRS and AAA had its own associated stand-alone database which required maintenance from time to time. Multiple instances of such databases required individual maintenance. In many situations NAS resources were committed to a particular AAA or GRS at a PoP and were not capable of load balancing.

FIG. 7 is a system block diagram of an improved system in accordance with a presently preferred embodiment of the present invention. A data communications network 10, such as the internet, or an ISP's presence on the internet, or a corporate intranet, or the like, includes a network control console (NCC) 12 which is physically located on a host 14 within a Network Operations Center (NOC) 16. The NCC 12 is an application running on the host 14. The NCC 12 monitors and manages the data communications system. The NCC 12 is in communication with a database 18 and an access database adapter 20.

The database 18 and access database adapter 20 can run on the same host 14 as the NCC 12, as depicted in FIG. 7, or the database 18 and the access database adapter 20 can be located on more than one device. The database 18 stores information related to the various components and services comprising the data communications network 10 being managed. The system administrator accesses the information in the database 18, as needed, in conjunction with the NCC 12, to perform the overall network management task. The access database adapter 20 is in communication with both the database 18 and the NCC 12. This adapter, and the other adapters in the invention, provide bi-directional mapping of information between the NCC 12 and the other services comprising the data communications network 10. Adapters, such as the access database adapter 20, subscribe to and publish events. An event is an independent entity which contains an unspecified amount of non-time-critical information. For example, the access database adapter 20 receives commands from the NCC 12 to publish an event. The information contained in the event may be found in the NCC's request, or the access database adapter 20 may communicate with the database 18 to find the required information. A detailed discussion of some of the specific events pertinent to this invention and the information found therein is provided later in this disclosure. The event is then published to other services and components within the data network management system across an information bus 22, which may be the data communications network itself.

The information bus 22 that serves as the transportation medium for the presently preferred embodiment of the present invention can be Common Object Request Broker Architecture (CORBA)-based. The CORBA-based information bus is capable of handling the communication of events to and from objects in a distributed, multi-platform environment. The concept of a CORBA-based information bus is well known by those of ordinary skill in the art. Other acceptable communication languages can be used, as are also known by those of ordinary skill in the art.

CORBA provides a standard way of executing program modules in a distributed environment. A broker 24, therefore, may be incorporated into an Object Request Broker (ORB) within a CORBA compliant network. To make a request of an ORB, a client may use a dynamic invocation interface (which is a standard interface independent of the target object's interface) or an Object Management Group Interface Definition Language (OMG IDL) stub (the specific stub depending on the interface of the target object). For some functions, the client may also interact directly with the ORB. The object is then invoked. When an invocation occurs, the ORB core arranges so that a call is made to the appropriate method of the implementation. A parameter to that method specifies the object being invoked. When the method is complete, it returns, causing output parameters or exception results to be transmitted back to the client.

In accordance with a presently preferred embodiment of the present invention, an Enterprise Application Integration (EAI) system is used to broker the flow of information between the various services and adapters comprising the data network management system of the present invention. An example of an EAI system that can be incorporated in the presently preferred invention is the ActiveWorks Integration System, available from Active Software of Santa Clara, Calif. As shown in FIG. 8, such an EAI system 26 uses an information broker 24 as the hub of the system. The information broker 24 acts as the central control and storage point for the system. The information broker 24 can reside on a server and serves to mediate requests to and from networked clients, automatically queuing, filtering and routing events while guaranteeing delivery. The information broker 24 is capable of storing subscription information and using such subscription information to determine where published information is to be sent. Referring back to FIG. 7, the information broker 24 is shown as being located at a point along the information bus 22. In most instances the broker will be located within the same NOC 16 as the host 14 that runs the NCC 12 application. Another key feature of the EAI system 26 of FIG. 8 is the use of adapters 28a, 28b, and 28c that allow users of the EAI system 26 to integrate diverse applications and other information when using the integration system. Adapters 28a, 28b, and 28c provide bi-directional mapping of information between an application's native format and integration system events, enabling all custom and packaged applications, databases, and Internet and other network applications to exchange information. As shown in FIG. 8, the adapters 28a, 28b, and 28c run in association with the various services 30a, 30b, and 30c from which information is published and subscribed on to an information bus 22 that has its hub at the broker 24.

Referring back to FIG. 7, the information bus 22 is in communication with a Point of Presence (PoP) 32 within the data communications network 10. The PoP 32 is one of many PoPs that the information bus 22 is in communication with. Located within PoP 32 is a host or node 34 which may comprise one or more computing devices on which some or all of the services shown in FIG. 7 may be running. The node
34 is in communication with the information bus 22 through a control adapter 29 which provides control communications with the various services 30a, 30b, 30c, 30d, 30e through their respective service adapters 28a, 28b, 28c, 28d, 28e via service adapter 31 of control adapter 29.

By way of example, the node 34 of FIG. 7 is configured with a PGW 30a, an authentication, authorization and accounting (AAA) service 30c, a domain name system (DNS) service 30e, a dynamic host configuration protocol (DHCP) service 30d and a pair of GRS services 30b. Those of ordinary skill in the art will appreciate that the services shown are not intended to be limiting and that other services and other service configurations can be used without departing from the inventive concepts herein disclosed. The system services may also be distributed over two or more servers to provide improved performance and redundancy.

The protocol gateway service 30a is used to couple the network user to the data communications network. The protocol gateway service 30a functions as an interface to the NASes that allows access requests received from a user to be serviced using components that may communicate using different protocols. A typical protocol gateway service 30a may be able to support different user access methodologies, such as dial-up, frame relay, leased lines, ATM (Asynchronous Transfer Mode), ADSL (Asymmetric Digital Subscriber Line) and the like. Used in conjunction with the protocol gateway service 30a, the AAA service 30c performs user authentication, authorization and accounting functions. The AAA service 30c stores user profile information and tracks user usage. The profile information stored in the AAA service 30c is proxied to the protocol gateway service 30a when a network user desires network access.

The DNS service 30e is used to return Internet protocol (IP) addresses in response to domain names received, for example, from a protocol gateway service 30a. For example, if the DNS service 30e receives a domain name query from the protocol gateway service 30a, it has the capability to locate the associated numerical IP address from within the memory of the DNS service (or another DNS service) and return this numerical IP address to the protocol gateway service 30a.

The DHCP service 30d is used as a dynamic way of assigning IP addresses to the network users, as well known to those of ordinary skill in the art.

Each of these services 30a, 30b, 30c, 30d, 30e is in communication with a corresponding service adapter 28a, 28b, 28c, 28d, 28e. The service adapter subscribes to and publishes various events on the information bus 22. The service adapter is configured so that it subscribes to events published by the access database adapter 20 of the NCC 12. The service adapter also publishes events to the access database adapter 20 of the NCC 12.

The following is an exemplary listing and definition of some of the events published by and subscribed to by the access database adapter and the service adapters which are pertinent to this invention. This listing is by way of example and is not intended to be exhaustive or limiting in any way. Other events are possible and can be used in this invention without departing from the inventive concepts herein disclosed.

The NCC 12 publishes "configure" events to the service adapters 28a, 28b, 28c, 28d, 28e. Configure events are published to configure the service adapters upon initial start-up of the service adapters or to modify a preexisting configuration. A configure event can be delivered to a service adapter directly from the access database adapter 20 at the NCC 12. The service adapters update their corresponding configuration files upon receiving a configure event. An example of the information contained within a configure event includes the GUID (global unique identifier) of the publisher, the GUID of the subscriber, listening port configuration, sink port configuration, protocol handler information, engine data and facility data.

The NCC 12 publishes "start" events that are subscribed to by a control adapter, such as control adapter 29 associated with a host computer at a node, to cause the control adapter to start up one or more specific services. Since the control adapter is always responsible for starting a service, the start events are always subscribed to by the control adapters as opposed to the service adapters. An example of the information contained within a start event includes the GUID of the publisher, the GUID of the subscribing control adapter, the GUID of the service to be started, the service name and the absolute path where the service binary resides. The access database adapter 20 of the NCC 12 also publishes "stop" events that are subscribed to by the control adapter to cause the control adapter to shut down a specific service or multiple services. Since the control adapter is always responsible for stopping a service, the stop events are always subscribed to by the control adapter as opposed to the service adapters. Once the control adapter receives the stop event, it publishes a stop event to the service adapter of the corresponding service. The control adapter allows the service sufficient time to shut down. If the service does not respond to the stop event and continues running, the control adapter can explicitly kill the service based on the process ID found in the configuration file. An example of the information contained within a stop event includes the GUID of the publisher, the GUID of the subscribing control adapter, the GUID of the service to be stopped and the name of the service to be stopped.

Other events may be published and subscribed to.

The configure event is used to publish the current contents of a master database relevant to GRS and AAA services at the various nodes of the data communications network. Thus the master database may be maintained and serviced at the NOC or some other convenient facility, and the AAA services and GRS services updated with information automatically without the need to manually update their separate databases.

The PGW is used as a protocol gateway between the NASes and the AAA and GRS services. The PGW parses the FQDN of incoming users and sends access requests from local users to the local AAA and access requests for roaming users to the GRS. The GRS, in turn, forwards the access requests to the remote AAA belonging to the user's provider in accordance with the conventional proxy model.

The PGW has the ability to load balance by monitoring the condition and response times of its respective GRS services and AAA services. Thus, if one such service is particularly loaded, incoming calls may be directed to other services. If one such server has crashed or becomes non-responsive, it may be bypassed. In configurations where NASes are directly connected to a GRS and/or an AAA service, a dead service can result in the NASes connected to the dead service becoming non-responsive. This condition is avoided by using the PGW as a front end to the GRS and AAA services.

In accordance with the present invention, IP addresses may be assigned to incoming users in a number of ways. For users having permanently or otherwise allocated IP addresses reflected in their user service profiles in their
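The load-balancing behaviour described above for the PGW (monitoring the condition and response times of its GRS and AAA services, steering calls away from a loaded service and bypassing one that has crashed or stopped responding) can be written as a small selector. This is an added example written for this page, not the patent's or Cisco's implementation. The exponentially weighted moving average of response time, the timeout penalty, the three-strikes hold-down and the single probe request when a hold-down expires are design choices made here; the service names and addresses are constructed, and ManualClock exists only to make the simulation deterministic.

```python
"""Health-aware selection among the GRS and AAA services a PGW fronts. Added
example, not the patent's or Cisco's implementation."""
import time
from dataclasses import dataclass


@dataclass
class Backend:
    """One GRS or AAA service and the PGW's view of its health."""
    name: str
    host: str
    port: int
    ewma_ms: float = 0.0     # smoothed response time; 0.0 means no sample yet
    failures: int = 0        # consecutive timeouts
    down_until: float = 0.0  # clock value until which the service is bypassed


class ManualClock:
    """Deterministic clock for the simulation; production code uses time.monotonic."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class Balancer:
    def __init__(self, backends, alpha=0.3, timeout_ms=2000.0, max_failures=3,
                 hold_down_s=30.0, clock=time.monotonic):
        self.backends = list(backends)
        self.alpha = alpha                # weight of the newest sample in the EWMA
        self.timeout_ms = timeout_ms      # a timeout is scored as a sample this slow
        self.max_failures = max_failures  # timeouts in a row before bypassing a service
        self.hold_down_s = hold_down_s    # how long a dead service stays bypassed
        self.clock = clock

    def choose(self, exclude=()):
        """Pick the service for the next request: skip anything inside its
        hold-down, probe a service whose hold-down has just expired, otherwise
        take the lowest smoothed response time."""
        now = self.clock()
        live = [b for b in self.backends
                if b.down_until <= now and b.name not in exclude]
        if not live:
            raise RuntimeError("no AAA/GRS service available")
        for b in live:
            if b.failures >= self.max_failures:   # hold-down over: one probe request
                return b
        return min(live, key=lambda b: b.ewma_ms)

    def record_success(self, backend, rtt_ms):
        if backend.failures >= self.max_failures or backend.ewma_ms == 0.0:
            backend.ewma_ms = rtt_ms      # first sample, or a service coming back
        else:
            backend.ewma_ms = (1 - self.alpha) * backend.ewma_ms + self.alpha * rtt_ms
        backend.failures = 0

    def record_timeout(self, backend):
        backend.failures += 1
        backend.ewma_ms = (1 - self.alpha) * backend.ewma_ms + self.alpha * self.timeout_ms
        if backend.failures >= self.max_failures:
            backend.down_until = self.clock() + self.hold_down_s

    def dispatch(self, send):
        """Send one request; send(backend) returns the round-trip time in ms or
        None on timeout. A timeout is recorded and the request moves to another
        service, so a dead GRS or AAA never leaves the NAS without an answer."""
        tried = set()
        while True:
            backend = self.choose(exclude=tried)
            tried.add(backend.name)
            rtt_ms = send(backend)
            if rtt_ms is None:
                self.record_timeout(backend)
                continue
            self.record_success(backend, rtt_ms)
            return backend.name, rtt_ms
```

In the PGW the send callable passed to dispatch issues the RADIUS request to the chosen service and returns its round-trip time, or None once the request has timed out after its retransmissions; dispatch records the outcome and, on a timeout, retries on another service within the same call, which is what keeps a dead GRS from taking its NASes down with it. The hold-down stops a crashed service from being re-selected on every request while it is still dead, and the probe lets it return to rotation without operator action.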



